PThe NJCCIC continues to receive reports of gift card scams attempting to steal personally identifiable information (PII) or extort funds. Threat actors impersonate trusted entities, such as a CEO or fellow employee, through various social engineering schemes, including email, SMS text messaging, and phone calls, to initiate fraudulent requests. An example of a gift card scam was shared with the NJCCIC and involved threat actors impersonating the executive of an organization and sending fraudulent SMS text messages to several employees to convince them to purchase gift cards. Communications begin with threat actors sending brief messages posing as a trusted entity and asking if potential victims are available. If the intended target replies, the scammer sends a request urging the potential victim to purchase gift cards and respond with the numbers found on the back of the cards. If submitted, the threat actors can use the gift card’s funds without the physical card since the funds are not linked to a specific person or entity. Additionally, victims typically will not be able to recover the funds used for purchasing the gift cards – even if the purchase was made by credit card – because the victim initiated the transaction, resulting in significant monetary losses.

What Should I Do?

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. We remind users to refrain from complying with requests to purchase gift cards and sending the numbers to someone without first verifying the request via a separate means of communication. These are unusual requests or demands typically portraying a sense of urgency and, therefore, should be handled with increased suspicion. If gift card information is sent, immediately contact the company who issued the gift card to inquire if the funds are still on the gift card and can be frozen.

We encourage users to report cyber incidents via the NJCCIC Cyber Incident Report Form, the FTC Complaint website, and the FBI’s Internet Crime Complaint Center (IC3) website. For any further questions, contact us here at Cyber Command.